The Stuxnet worm is a wake up call to governments around the world. It is the first known worm to target industrial control systems and grants hackers unobstructed control of vital public infrastructures like power plants, dams and chemical facilities.

-- Derek Reveron, professor of national security at the U.S. Naval War School in Rhode Island

Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at a permanent, structural disadvantage compared to the attackers. Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising.

Just as we learned years ago in the crypto world that governments and government agencies do *not* have a monopoly on crypto talent, the same is true with malware development. It is a mistake to think that sophisticated malware means government sponsorship -- the talent pool putting together financially motivated targeted attacks for cybercrime has been leading the way for a long time.

Considering the anonymity of cyberspace, cybercrime may in fact be one of the most dangerous criminal threats ever. A vital component in fighting transnational crime must therefore include the policing of information security and the provision of secure communication channels for police worldwide based on common standards.

If we keep doing what we know doesn't work even "good enough", why keep doing it? It wasn't until we accepted that there are things we can never reliably know that we knew we had better find the limits to that which we did know. So then at least we'd have that going for us. For example, we know that we can't reliably determine the impact of a particular vulnerability for everyone in some big database of vulnerabilities, because it will always depend on the means of interactions and the functioning controls of the target being attacked.

Put simply, this means that spending hundreds of thousands of Pounds, Euros or Dollars on a security system, plugging it in and switching it on - then presuming your company is secure - is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organization as the threats from criminals are constantly changing. Configuration, constant evaluation and constant updating of security rules are essential to the IT security of a business. Of course, the degree to which protection is needed is a matter of balancing risk and cost, and this equation is a unique business decision as with any other senior management process.

This article, written for ComputerWeekly.com by Forrester Research's Andrew Jaquith, is a must read in its entirety. Here's a snippet to whet your appetite:

Successfully controlling the spread of sensitive information requires inverting conventional wisdom entirely, by planning as if the enterprises owned no devices at all.

Forrester calls this concept the "zero-trust model of information security", centered on the idea that security must become ubiquitous throughout your infrastructure. Simply put: treat all endpoints as hostile.

Just because a mobile site is meant to be viewed on a mobile browser with limited functionality doesn't mean an attacker can't load it in a normal browser and have full use of their powerful tools to bypass authentication, find vulnerabilities in non-standard encryption, and ultimately crack the site -- and the main data store behind it.

It's like having two doors to your bank vault.

Web applications of today are like the highly guarded front door fortified by mature security practices and fully capable of stopping an intruder. Mobile APIs are like the unguarded back door -- offering far easier access to would-be attackers.

Every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to, and interact with, and is around them, and when they do these things. The contextualization of the web in the world and the connection of the world to the web, mediated by the connections of people to each other, is forming a new Internet which has vast implications of privacy, identity, and innovation; and how we are going to structure our societies and our economies.

If they don’t know what it is, it’s an APT. While the attacks aren’t new — they have happened in the government world for a long time — the realization of what is going on is new. It can be difficult for an organization to sort out whether it is just a zero-day malware or if the organization is being specifically targeted. In the conventional world, if somebody launches a missile, you can pretty much understand what the intent is and you can attribute it. In the cyber world, if someone launches an attack, you might not be sure who is behind it and you don’t know what the intent is. In the military world, they make a distinction between information gathering and an actual attack.

About Me

Chris, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, or advising board members on effective governance of cyber risks, Chris enjoys working with business leaders to improve their organization's cyber risk posture.

Disclaimer

The views and opinions expressed here are those of Dr. Veltsos only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.

All content on this blog is provided as general information and is for educational purposes only. It should not be construed as professional advice or guidance. All trademarks and copyrights on this blog belong to their respective owners.